Ask the Expert: Zone Based Firewall

Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Ashish Jhaldiyal about Zone-Based Policy Firewall also known as Zone-Policy Firewall, or ZFW.

Ashish is a senior TAC engineer at Cisco Systems, and his expertise is in Network Security, Intrusion Prevention Systems and Zone-Based Firewall. He has over 5 years of experience in the field of networking and specializes in Firewall and Wireshark.

Remember to use the rating system to let Ashish know if you have received an adequate response.

Ashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event is a continuation of the Facebook Forum. Visit this forum often to view responses to your questions and the questions of other community members. This event lasts through March 30, 2012.

Currently, in the zone-based firewall there is no way to define VPN-encrypted traffic in a policy-map. This means that after decrypting an ESP packet, the router will treat it as a normal packet and enforce all rules applied to outside-to-inside traffic.

The router can't differentiate between a normal packet and a packet which came through the VPN tunnel. Cisco ASAs have the feature "sysopt connection permit-vpn", which allows ESP packets to bypass any access-list applied on the interface.

Where I have attempted this in practice, the "match protocol" commands on the self zone with TCP, UDP, ICMP, and H323 appear to have no effect on the traffic flow in either direction. I had to create separate rules for my traffic with the "pass" action, just as in the above example. Can you clarify that part of the document and tell me why I would both need to "match" the protocol and then create an ACL to allow the traffic to pass, as the above document is written?
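A worked ZFW configuration, added here as an illustration and not taken from the thread or from Cisco's documentation, covering the two points raised above: IKE/ESP destined to the router itself is explicitly passed on the OUTSIDE-to-self zone pair (ESP cannot be inspected), and the decrypted tunnel traffic, which the router treats like any other outside-to-inside packet, is matched by the remote VPN subnet on the OUTSIDE-to-INSIDE pair. Zone names, interface names, ACL/class/policy names and the 10.10.0.0/16 and 10.20.0.0/16 subnets are assumed for the example.

```cisco
! --- Zones and interface membership (assumed names) ---
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description WAN / crypto map applied here (assumed)
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
!
! --- 1. Tunnel setup traffic to the router itself (self zone) ---
! IKE (UDP/500), NAT-T (UDP/4500) and ESP terminate on the router,
! so they traverse OUTSIDE -> self. ESP is not inspectable; use "pass".
ip access-list extended ACL-VPN-SELF
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
class-map type inspect match-any CM-VPN-SELF
 match access-group name ACL-VPN-SELF
policy-map type inspect PM-OUT-SELF
 class type inspect CM-VPN-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
!
! --- 2. Decrypted tunnel traffic (OUTSIDE -> INSIDE) ---
! After decryption ZFW sees ordinary packets and cannot tell they came
! from the tunnel, so the class matches on the remote VPN subnet instead.
! Remote site 10.20.0.0/16, local LAN 10.10.0.0/16 (assumed).
ip access-list extended ACL-VPN-REMOTE
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
class-map type inspect match-all CM-VPN-IN
 match access-group name ACL-VPN-REMOTE
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-IN
  inspect
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Traffic initiated from the INSIDE zone toward the remote subnet still needs its own INSIDE-to-OUTSIDE zone pair with an inspect policy; the class-default drop log lines give a visible record of anything the policies do not account for.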